Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers

June 7, 2024, 8:07 a.m.

Description

This report details a cryptojacking campaign exploiting exposed Docker remote API servers. Threat actors employ the cmd.cat/chattr Docker image for initial access, utilizing techniques like chroot and volume binding to break out of the container and access host systems. They deploy cryptocurrency miners and establish command and control infrastructure. The analysis provides indicators of compromise, recommended mitigations, and relevant MITRE ATT&CK techniques.

Date

Published: June 7, 2024, 7:48 a.m.
Created: June 7, 2024, 7:48 a.m.
Modified: June 7, 2024, 8:07 a.m.

Indicators

SHA-256: 9e824ebfca16f16980172ec0652244c650e48da3f17eb296bb0a544e68faa671
SHA-256: 9c7a12678651d72127c3c6e4dac250439fa4a3be0a8728754cea327c86a529a2
IP: 80.239.140.66
IP: 45.9.148.193
URL: http://cmd.cat/chattr

Attack Patterns

ZiggyStarTux
T1611 - Escape to Host
T1610 - Deploy Container
T1132.001 - Data Encoding: Standard Encoding
T1059.004 - Command and Scripting Interpreter: Unix Shell
T1105 - Ingress Tool Transfer
T1190 - Exploit Public-Facing Application